Every Gravity Forms implementation eventually needs file uploads. Whether you are collecting resumes on a job application, gathering documents for a client onboarding form, or accepting photos for an insurance claim, the File Upload field is one of the most powerful — and most misconfigured — features in the entire plugin. A poorly configured upload field can open security holes, frustrate mobile users with confusing error messages, or grind your server to a halt when someone tries to submit a 200 MB video.
This guide walks through every practical aspect of Gravity Forms file uploads: server-side limits, security hardening, cloud storage options, performance tuning, and the add-ons that fill the gaps the core field leaves open.
How the Gravity Forms File Upload Field Works
The File Upload field lives in the Advanced Fields panel of the Gravity Forms editor. Drag it onto a form and you get three configuration options that matter immediately:
- Allowed file extensions — a comma-separated list of permitted file types (e.g.,
pdf, jpg, png, docx). Leaving this blank allows any file type WordPress permits, which is a security risk you should not accept. - Enable Multi-File Upload — toggles between a single-file chooser and a drag-and-drop zone that accepts multiple files. Once an entry has been submitted using one mode, you cannot switch to the other without deleting those entries first.
- Maximum File Size — sets a per-file limit in megabytes. If you leave this blank, the field defaults to whatever your PHP configuration allows, which on many hosts is 256 MB.
When a user submits a form, uploaded files land in /wp-content/uploads/gravity_forms/{form-id}-{hash}/. The hash is a salted HMAC-MD5 value that makes the folder path effectively unguessable. Gravity Forms also drops an .htaccess file in the root uploads directory to block PHP execution inside those folders, and it regenerates that file daily through a WordPress cron job.
Server-Side Upload Limits You Need to Check
Gravity Forms can only accept files as large as your server allows. Three PHP directives control this, and all three must be high enough for your largest expected upload:
| PHP Directive | What It Controls | Recommended Value |
|---|---|---|
upload_max_filesize |
Maximum size of a single uploaded file | 64M for most forms; 256M if accepting video |
post_max_size |
Maximum size of the entire POST request (all files + form data combined) | Should be larger than upload_max_filesize. 96M minimum for multi-file uploads. |
max_execution_time |
How many seconds PHP will process the request before timing out | 300 (5 minutes) for large uploads; default 30 seconds is too low |
You can check your current values by navigating to Tools > Site Health > Info > Server in your WordPress dashboard, or by creating a temporary phpinfo() page.
How to Increase PHP Upload Limits
The method depends on your hosting environment. Here are the four most common approaches, in order of reliability:
- Hosting control panel — managed WordPress hosts like WP Engine, Cloudways, and SiteGround provide a PHP settings panel where you can adjust these values directly. This is the safest and most persistent method.
- php.ini or .user.ini — create or edit a
.user.inifile in your WordPress root directory:upload_max_filesize = 64M post_max_size = 96M max_execution_time = 300 - .htaccess — add these lines to your site’s
.htaccessfile (Apache servers only):php_value upload_max_filesize 64M php_value post_max_size 96M php_value max_execution_time 300 - wp-config.php — this method only works for the memory limit, not upload size:
define('WP_MEMORY_LIMIT', '256M');
After changing these values, restart your server or wait for the config to reload (most shared hosts pick up .user.ini changes within five minutes). Then verify the new limits through Site Health.
Security Hardening for File Uploads
File upload fields are the single most common attack vector in WordPress form plugins. Gravity Forms applies solid defaults — our complete security hardening guide covers the full picture — but for file uploads specifically, you should go further.
Always Restrict File Extensions
Never leave the “Allowed file extensions” field blank. For every form, define exactly what file types you expect:
- Document collection forms:
pdf, docx, xlsx, csv - Photo submission forms:
jpg, jpeg, png, webp - Design or proof-of-concept forms:
pdf, png, svg, ai, psd - General support tickets:
pdf, jpg, jpeg, png, txt, zip
Even when you restrict extensions, Gravity Forms performs an additional check: it verifies that the uploaded file’s actual MIME type matches its extension. A file named malware.jpg that is actually a PHP script will be rejected. This behavior is controlled by the gform_file_upload_whitelisting_disabled filter — do not disable it unless you fully understand the implications.
Require Authentication for Downloads
By default, anyone who knows (or guesses) the URL of an uploaded file can download it. For sensitive documents, add this filter to your theme’s functions.php or a code snippets plugin:
add_filter( 'gform_require_login_pre_download', '__return_true' );This forces users to be logged into WordPress before they can access any file uploaded through Gravity Forms. For more granular control, use the gform_permission_granted_pre_download filter to check user roles or capabilities.
Monitor Your Upload Directory
Gravity Forms stores uploads outside the WordPress Media Library by default. This means standard media management plugins and security scanners may miss them. Consider scheduling regular audits of /wp-content/uploads/gravity_forms/ to check for unexpected files. WordPress security plugins like Wordfence can be configured to scan custom directories.
Performance Optimization for File Upload Forms
Forms with file upload fields behave differently from standard text forms. Uploads consume bandwidth, disk I/O, and server processing time. Here is how to keep them fast.
Set Reasonable File Size Limits
Do not set a 256 MB limit when your form only needs 5 MB PDFs. Every megabyte matters for server performance and user experience. Set the Gravity Forms field-level limit to the smallest practical value — this overrides the server maximum and provides a clear error message when exceeded.
Use Multi-File Upload Wisely
Multi-file upload mode uses AJAX to upload each file individually before the form is submitted. This is better for the user experience because files upload in the background, but it can increase server load if users upload many large files simultaneously. Set a reasonable “Maximum Number of Files” limit (3-5 for most use cases).
Consider Chunked or Resumable Uploads
The core File Upload field does not support chunked uploads. If your forms need to accept files larger than 50 MB, the File Upload Pro add-on handles this more gracefully with real-time progress indicators and better error recovery. For truly large file transfers (video production, architectural plans), consider an external upload service like Dropbox or Google Drive and link to the shared file from the form instead.
Move Uploaded Files Off Your Web Server
For high-volume forms, storing thousands of uploaded files on your WordPress server degrades backup performance and increases storage costs. Use one of these strategies to offload files:
- Dropbox add-on — the official Gravity Forms Dropbox add-on sends uploaded files directly to your Dropbox account after submission.
- Zapier automation — the Gravity Forms Zapier add-on can trigger a file transfer to Google Drive, OneDrive, Amazon S3, or any service Zapier supports.
- Custom PHP with
gform_after_submission— developers can hook into this action to transfer files to any external API or storage service programmatically. - The
gform_upload_pathfilter — redirect uploads to a directory outside your web root or to a cloud-synced folder. This works at the server level and requires no third-party service.
Styling and UX Improvements
The default single-file upload field is a plain browser input that looks different on every operating system. Here are three quick improvements that require no custom code:
- Switch to the Orbital form theme. Introduced in Gravity Forms 2.7, the Orbital theme modernizes every field type, including file uploads. Navigate to your form’s settings and change the form theme from “None” to “Orbital.”
- Enable multi-file upload even for single files. If you want the drag-and-drop interface but only need one file, enable Multi-File Upload and set Maximum Number of Files to 1. Users get a clean drop zone instead of the dated “Choose File” button.
- Combine both. Enabling the Orbital theme along with multi-file mode produces the cleanest interface — a styled drop zone with clear instructions, file previews, and upload status indicators.
Attaching Uploads to Email Notifications
Gravity Forms can attach uploaded files directly to notification emails (see our complete email notifications guide for deeper configuration). In your form settings, go to Notifications, edit or create a notification, and check “Attach uploaded fields to notification.”
A few caveats to keep in mind:
- Email attachments increase the size of outgoing messages. Most SMTP providers cap messages at 10-25 MB. If your form accepts large files, the notification may silently fail or be rejected by the recipient’s mail server.
- For large files, include a download link in the notification body instead of attaching the file. Use the
{File Upload:ID}merge tag to insert the file URL. - If you use an SMTP plugin for email delivery, verify its attachment size limit separately from your form’s upload limit.
File Upload Pro: When the Core Field Is Not Enough
The built-in File Upload field handles the basics, but it lacks features that professional and high-traffic forms need. Gravity Forms’ own File Upload Pro add-on (developed by Gravity Wiz) fills many of these gaps:
| Feature | Core File Upload | File Upload Pro |
|---|---|---|
| Drag-and-drop interface | Multi-file mode only | All modes |
| Image previews | No | Yes, with zoom |
| Image cropping | No | Yes, with stencils (circle, square, custom ratios) |
| Automatic image resizing | No | Yes, configurable dimensions |
| Real-time validation | No (server-side only) | Yes, instant feedback |
| File type icons | No | Yes, modern iconography |
| Sort uploaded files | No | Yes, drag to reorder |
File Upload Pro works as an enhancement layer on top of existing File Upload fields. If you deactivate the add-on, fields gracefully fall back to core behavior — no data loss, no broken forms.
Collecting Video Instead of Files
Sometimes what users really need to submit is not a file but a screen recording or video explanation. Accepting raw video files through a form creates problems: large file sizes, inconsistent formats, and no playback infrastructure. Our own Loom for Gravity Forms add-on solves this by letting respondents record and submit Loom videos directly within a Gravity Forms field. Respondents do not need a Loom account, recordings upload to Loom’s infrastructure instead of your server, and the resulting entry stores a playback link rather than a massive video file. For support forms, bug reports, and client feedback workflows, this is significantly more practical than asking users to upload a screen recording as a file attachment.
Skip the File Upload Headaches for Video
Our Loom for Gravity Forms add-on lets form respondents record and submit screen recordings, camera videos, or both directly inside any Gravity Forms field. No Loom account required for respondents. Videos upload to Loom’s servers, not yours — eliminating the file size, format, and storage problems that come with accepting raw video uploads.
Common File Upload Errors and Fixes
These are the most frequent file upload issues and their solutions:
FAILED (Temporary file could not be moved)
The server’s temporary upload directory (/tmp on most Linux hosts) either does not exist, is full, or has incorrect permissions. Contact your hosting provider to check the upload_tmp_dir PHP setting and verify the directory is writable. The Gravity Forms troubleshooting guide covers additional fixes.
FAILED (upload folder could not be created)
Gravity Forms cannot create its hash-based upload subfolder. This usually means the /wp-content/uploads/gravity_forms/ directory has incorrect ownership or permissions. Set the directory to 755 and ensure it is owned by the web server user (typically www-data or nginx).
Multi-File Upload toggle is grayed out
Once a form has received at least one entry with an uploaded file, you cannot switch between single-file and multi-file mode. To unlock this setting, delete all entries for that form (or add a new File Upload field and set the old one to Administrative only).
Files upload but do not appear in notification emails
Check that the “Attach uploaded fields to notification” checkbox is enabled. Also verify that the combined file size does not exceed your SMTP provider’s message size limit. Large attachments may be silently dropped.
Upload fails on mobile devices
Navigate to Forms > Settings and enable HTML5 output mode. This ensures the file input uses modern browser APIs that mobile devices support. Also confirm that your allowed file extensions include formats that phone cameras produce (typically jpg, jpeg, heic, mp4).
Recommended File Upload Configurations by Use Case
Here are field settings that work well for common scenarios:
| Use Case | Extensions | Max Size | Multi-File | Max Files |
|---|---|---|---|---|
| Job application (resume + cover letter) | pdf, docx | 5 MB | Yes | 2 |
| Photo submission (real estate, insurance) | jpg, jpeg, png, webp | 10 MB | Yes | 10 |
| Client onboarding (mixed documents) | pdf, docx, xlsx, csv, jpg, png | 15 MB | Yes | 5 |
| Support ticket (screenshots + logs) | jpg, jpeg, png, txt, pdf, zip | 10 MB | Yes | 3 |
| Student assignment submission | pdf, docx, pptx | 20 MB | No | 1 |
| Design proof approval | pdf, png, jpg, ai, svg | 25 MB | Yes | 5 |
These settings balance security (tight extension lists), usability (reasonable size limits), and performance (controlled file counts). Adjust the values based on what your users actually need to submit — check your existing entries to see the typical file sizes and types people upload before tightening or loosening limits.
Are Your Upload Forms Actually Working?
File upload fields have higher abandonment rates than any other field type. Our Form Analytics Pro for Gravity Forms add-on tracks exactly where users drop off — including the file upload step. Zero-config setup, field-level conversion data, and real-time abandonment tracking so you can see whether your upload limits or file type restrictions are costing you submissions.
Keeping Your Upload Workflow Reliable
File uploads add moving parts to your forms that plain text fields do not have. The upload touches your PHP configuration, file system permissions, web server rules, email delivery pipeline, and potentially third-party storage services. The most reliable upload workflows are the ones where you define exact expectations — which file types, how large, how many — and then test those limits from a device that matches what your actual users will use. Submit a test entry from a phone over cellular data. Try uploading a file that is one megabyte over the limit and verify the error message makes sense. Send yourself the notification and confirm the attachment arrives. These five minutes of testing prevent the support tickets that inevitably arrive when a form with file uploads goes live without being exercised against its own rules.
